ExpressWay


Contents

Intro


Finally did a machine which didn't have a webapp hosted on it, it was a breath of fresh air haha. Good luck to anyone else trying to do this box!

User


sudo nmap -sC -sV 10.129.238.52

22/tcp open  ssh     OpenSSH 10.0p2 Debian 8 (protocol 2.0)

Starting off with nmap, we can see that there's only a single port open, which is SSH on port 22, which doesn't help a whole lot - attacks on SSH directly are far and few between. We can, however, run a UDP scan with -sU to check for services running over UDP.

sudo nmap -sU -sV 10.129.238.52

500/udp open  isakmp

Port 500 is running a key exchange protocol, which gives us an opening:

sudo ike-scan -A -P hash.txt 10.129.238.52

    [email protected]

Warning

Running without -A would have hid ike and the PSK hash, doing it with in aggressive mode results in an unencrypted attack however.

With this scan, we found a user on our target machine, alongside a pre-shared key's hash, which we can decrypt with hashcat:

hashcat hash.txt /usr/share/wordlists/rockyou.txt

This gives us ike's password, freakingrockstarontheroad, which then lets us SSH onto the machine.

Root


After running linpeas.sh, I noticed right off the bat how the version of sudo is outdated (1.9.17) - this is a known CVE (CVE-2025-32463) with a PoC we can exploit.

- sudo enters --chroot directory before checking permissions

- Process looks for etc/nsswitch.conf inside wrong folder which points to a shared library we made

- sudo executes .so file with root privileges

This allows us to get root flag without any hassle!